How do a make a cookie in Laravel and specify the SameSite attribute (Lax, None, Strict)?

Stefan Bogdanescu

Founder & Senior Architect · 2026-06-29

Laravel Company
Title: Managing Cookies and Specifying SameSite Attributes in Laravel Body:

Cookies play an essential role in modern web applications as they allow websites to store small bits of data that can be accessed later by the same site, providing a better user experience. When using Laravel, you need to consider security aspects such as SameSite attributes. In this blog post, we'll walk you through creating cookies and specifying their SameSite attribute values (Lax, None, Strict) in Laravel 8.

Creating a Cookie

To create a cookie using the Laravel framework, follow these steps:

  1. Create a middleware class that handles user authentication and token management.
  2. Within your middleware method, set up the cookie like this:
cookie()->queue("loginToken", $loginToken, 60*24*365*10);

Here, we use the cookie method from the Laravel helpers, which allows us to set up a cookie with the name "loginToken" and value "$loginToken". The fourth parameter, 60*24*365*10, sets the expiration date to 10 years from today.

Specifying SameSite Attributes

The SameSite attribute is a security measure that restricts how and when cookies are sent. It helps prevent cross-site request forgery (CSRF) attacks, where attackers can manipulate the state of web apps by submitting requests to a website on behalf of users.

  1. To set the SameSite attribute on your cookie, add it as an optional fourth parameter in your cookie method call:
cookie()->queue("loginToken", $loginToken, 60*24*365*10, ['sameSite' => 'Lax']);

Here we assigned the 'Lax' value to the SameSite attribute. You can choose from three options:

  • Strict: The browser will send cookies only when using a first-party request. This is the most secure option but may cause issues with some modern websites that rely on third-party services.
  • Lax: Cookies are sent for first-party and top-level domains, but not across different domains or subdomains. This mode can be used as a compromise between security and compatibility.
  • None: The browser will send cookies in all circumstances. This option should only be used if your website requires cookies for its functionality.

Testing and Implementing Changes

Once you've updated your middleware class, it is essential to test the new implementation thoroughly, ensuring that the cookies are set correctly. Additionally, monitor their expiration dates and security levels to maintain a safe and stable application. If all tests pass successfully, implement these changes into your production environment for maximum efficiency.

Conclusion

In this blog post, we discussed the process of creating cookies in Laravel and specifying their SameSite attributes. By implementing proper security measures, you can ensure that your web applications remain resilient against potential vulnerabilities. Remember to test your changes thoroughly before deploying them into a production environment.